LiquidityPool::requestRedeemWithPermit
transaction can be front run with the different liquidity pool
#227
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
high quality report
This report is of especially high quality
M-03
primary issue
Highest quality submission among a set of duplicates
satisfactory
satisfies C4 submission criteria; eligible for awards
selected for report
This submission will be included/highlighted in the audit report
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/code-423n4/2023-09-centrifuge/blob/512e7a71ebd9ae76384f837204216f26380c9f91/src/LiquidityPool.sol#L240
Vulnerability details
Impact
The permit signature is linked only to the tranche token. That's why it can be used with any liquidity pool with the same tranche token. Since anyone can call
LiquidityPool::requestRedeemWithPermit
the following scenario is possible:requestRedeemWithPermit
. The user signs the permit and sends a transaction.This scenario assumes some user's negligence and usually doesn't lead to a significant loss. But in some cases (for example, USDY depeg) a user can end up losing significantly.
Proof of Concept
The test below illustrates the scenario described above:
Tools Used
Manual review
Recommended Mitigation Steps
One of the ways to mitigate this issue is to add some identifier of the liquidity pool to the permit message. This way permit will be linked to a specific liquidity pool.
Assessed type
Other
The text was updated successfully, but these errors were encountered: